-
Notifications
You must be signed in to change notification settings - Fork 7
/
tips.html
121 lines (109 loc) · 8.88 KB
/
tips.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
<html lang="en">
<head>
<title>Block CTF: Tips for Getting Started</title>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="shortcut icon" type="image/x-icon" href="/favicon.ico">
<meta name="og:title" content="Square CTF: hacking competition!">
<meta name="og:url" content="https://squarectf.com/">
<meta property="og:type" content="website">
<meta name="og:description" content="Compete to solve security-related challenges.">
<meta property="og:image" content="/og.png">
<meta name="twitter:card" content="summary">
<meta name="twitter:site" content="@SquareEng">
<meta name="twitter:title" content="Square CTF: We make security and hacking more approachable — since 2014.">
<meta name="twitter:description" content="Compete to solve security-related challenges.">
<meta name="twitter:image" content="/og.png">
<meta name="description" content="Compete to solve security-related challenges.">
<meta name="author" content="Square, Inc.">
<link rel="stylesheet" media="screen" href="squarectf.css">
</head>
<body>
<div class="wideline begin">
<span>Block_CTF(2)</span>
<span><a href="index.html"><img src="https://storage.googleapis.com/square-console-production/assets/2380a284d3e59ed8449cdf60c66972abd30d4e1ad24968b4b9f2ad7596f6cc0d4cf5456b67f255ab3231f6f6410be02b527325b4373237e7697e84e221faeaeb.png"></a></span>
<span>Block_CTF(2)</span>
</div>
<h1>Name</h1>
<p>tips-for-getting-started — Practice makes perfect! All our past challenges are
available for you to play. Solutions published by various past teams are also available.</p>
<p>Challenges requiring backend services are packaged using Docker.</p>
<p>Check out our previous years' challenges
challenges.</p>
<h2>Work environment</h2>
<ul>
<li>Some challenges are going to require and/or be easier to solve with Linux. If you don’t have a native Linux install, you can either use a Liveusb or a virtualizer (e.g. <a href="https://www.virtualbox.org/wiki/VirtualBox">VirtualBox</a>). You can use Ubuntu or any other distribution.</li>
<li>You can save some time by pre-installing common programming languages, such as <a href="https://linux.die.net/man/1/gcc">gcc</a> (or <a href="http://releases.llvm.org/download.html">llvm</a>), <a href="https://golang.org/dl/">golang</a>, <a href="https://www.perl.org/get.html">perl</a>, <a href="https://www.ruby-lang.org/en/downloads/">ruby</a>, <a href="https://www.python.org/downloads/">python</a>.</li>
<li><a href="https://github.com/wuntee/vagrant-ctf">Vagrant-CTF</a> is a VM filled with useful tools.</li>
</ul>
<h2>Common linux command line tools</h2>
<ul>
<li><a href="https://curl.haxx.se/docs/manpage.html">curl</a> and <a href="https://www.gnu.org/software/wget/manual/wget.html">wget</a> let you download files and data </li>
<li><a href="https://linux.die.net/man/1/xxd">xxd</a> or <a href="http://man7.org/linux/man-pages/man1/od.1.html">od</a> let you convert files to hex and the other way around</li>
<li><a href="https://linux.die.net/man/1/file">file</a> and <a href="https://linux.die.net/man/1/strings">strings</a> let you get a sense of the type of the file</li>
</ul>
<h2>Network</h2>
<ul>
<li><a href="https://portswigger.net/burp">Burp</a>, <a href="https://www.charlesproxy.com/">Charles</a>, <a href="https://paw.cloud/">Paw</a> and <a href="https://www.getpostman.com/">Postman</a> let you proxy web traffic and intercept/modify it. <a href="https://www.comparitech.com/net-admin/paros-proxy-alternatives/">8 Best Paros Proxy Alternatives</a> lists other similar tools.</li>
<li><a href="https://www.wireshark.org">WireShark</a> and <a href="http://www.secdev.org/projects/scapy/">scapy</a> let you inspect and record network packets.</li>
<li><a href="http://www.networksorcery.com/enp/Protocol.htm">NetworkSorcery</a> has diagrams for many network protocols.</li>
<li>Common protocols are specified as <a href="https://tools.ietf.org/rfc/index">RFCs</a>.</li>
</ul>
<h2>Web tools and web security</h2>
<ul>
<li>Learn to use your browser's developer console (enables debugging web apps, copy network requests as curl commands, etc.)</li>
<li><a href="https://www.amazon.com/Tangled-Web-Securing-Modern-Applications/dp/1593273886">The Tangled Web</a> and <a href="https://code.google.com/archive/p/browsersec/wikis/Main.wiki">Browser Security Handbook</a> are useful resources</li>
<li><a href="https://www.owasp.org/index.php/Top_10-2017_Top_10">OWASP</a> maintains information on web vulnerabilities, and <a href="https://www.vpnmentor.com/blog/top-10-common-web-attacks/">this blog post</a> discusses the top 10 most common flaws</li>
</ul>
<h2>X86 assembly</h2>
<ul>
<li><a href="https://linux.die.net/man/1/gdb">gdb</a> (debugger).</li>
<li><a href="https://lldb.llvm.org/">lldb</a>: LLVM's debugger.</li>
<li><a href="https://linux.die.net/man/1/objdump">objdump</a> (disassembler).</li>
<li><a href="http://man7.org/linux/man-pages/man1/ldd.1.html">ldd</a> to view linked libraries.</li>
<li><a href="https://github.com/pwndbg/pwndbg">pwndbg</a> a gdb plugin. Several other plugins (peda, gef) exist.</li>
<li><a href="https://ghidra-sre.org/">Ghidra</a>: open source reverse engineering tool developped by the NSA.</li>
<li><a href="https://rada.re/r/">Radare</a>: a portable reversing framework.</li>
<li><a href="https://www.hex-rays.com/products/ida/">IDA pro</a>. The leading debugger for reverse engineering (~$500).</li>
<li><a href="https://defuse.ca/online-x86-assembler.htm">https://defuse.ca/online-x86-assembler.htm</a> online x86/x64 assembler and disassembler.</li>
<li><a href="https://www.onlinedisassembler.com/odaweb/">https://www.onlinedisassembler.com/odaweb/</a> another online disassembler.</li>
<li><a href="https://reverseengineering.stackexchange.com/questions/1817/is-there-any-disassembler-to-rival-ida-pro">A thorough list</a> of disassemblers. Some are free, others aren't.</li>
<li><a href="http://syscalls.kernelgrok.com/">Linux syscalls</a></li>
</ul>
<h2>Practice, practice, practice!</h2>
<ul>
<li><a href="https://cryptopals.com/">Cryptopals</a> is a collection to ~50 cryptography challenges. They become progressively
harder and they cover topics related to modern ciphers.</li>
<li><a href="http://overthewire.org/wargames/">Overthewire</a> has been around for over 10 years and has some great challenges.</li>
<li><a href="http://www.wechall.net/">Wechall</a> - list of wargame websites.</li>
<li><a href="https://ctftime.org/">CTFtime</a> - calendar of past and upcoming CTF events.</li>
<li><a href="https://security.stackexchange.com/questions/3592/what-hacking-competitions-challenges-exist">A great list</a> on security.stackexchange.com.</li>
<li><a href="https://adventofcode.com/">Advent Of Code</a> - annual programming event. The puzzles are not security related, but the event and subreddit are fun.</li>
</ul>
<h2>Other resources</h2>
<ul>
<li><a href="https://securitybaron.com/blog/cryptography-and-coding-information/">Cryptography And Coding Information</a></li>
<li><a href="https://trailofbits.github.io/ctf/">https://trailofbits.github.io/ctf/</a></li>
<li><a href="http://resources.infosecinstitute.com/tools-of-trade-and-resources-to-prepare-in-a-hacker-ctf-competition-or-challenge/#gref">http://resources.infosecinstitute.com/tools-of-trade-and-resources-to-prepare-in-a-hacker-ctf-competition-or-challenge/#gref</a></li>
<li><a href="http://resources.infosecinstitute.com/what-a-challenger-perceives-in-most-of-the-ctf-categories-or-challenges/#gref">http://resources.infosecinstitute.com/what-a-challenger-perceives-in-most-of-the-ctf-categories-or-challenges/#gref</a></li>
<li><a href="https://www.endgame.com/blog/technical-blog/how-get-started-ctf">https://www.endgame.com/blog/technical-blog/how-get-started-ctf</a></li>
<li><a href="https://github.com/ctfs/resources">https://github.com/ctfs/resources</a></li>
<li><a href="https://github.com/sobolevn/awesome-cryptography">https://github.com/sobolevn/awesome-cryptography</a></li>
<li><a href="https://www.doyler.net/security-not-included/ctf-resources">https://www.doyler.net/security-not-included/ctf-resources</a></li>
<li><a href="http://phrack.org/issues/49/14.html">http://phrack.org/issues/49/14.html</a></li>
<li><a href="https://github.com/fdiskyou/Zines">https://github.com/fdiskyou/Zines</a></li>
</ul>
<h1>See also</h1>
<p>
<a href="https://block.xyz/careers">Work_at_Block(1)</a>,
<a href="https://squareup.com/legal/privacy">Privacy_policy(1)</a>,
<a href="code_of_conduct.html">Code_of_conduct(1)</a>
</p>
<div class="wideline end">
<span>Block, Inc.</span>
<span>(c) <script>document.write(new Date().toLocaleString("en-us", {month: "long", year: "numeric"}));</script></span>
<span>Block_CTF(2)</span>
</div>
</body>
</html>